Attribution of 2015-6 Phishing to APT28

In two influential articles in June 2016, immediately following the Crowdstrike announcement, SecureWorks (June 16 here and June 26 here) purported to connect the DNC hack to a 2015-6 phishing campaign which they attributed to APT28.  SecureWorks identified two malicious domains in their article. In today’s article, I’ll show that infrastructure from one domain are connected to domains identified as APT28 in early literature, while infrastructure from the other domain leads in an unexpected direction.

SecureWorks Phishing Examples

SecureWorks showed two examples of phishing emails in their June 26, 2016 article, both taken from 2015. A distinctive feature of this phishing campaign was the use of bitly links to further camouflage the typosquatting domain.

Their first example was taken from incident reports 3160712 and 3160715, the first asking about a bitly link and the second from the expanded phrase which linked to, a malicious typosquatting domain.

The full syntax of the expressions is not shown in the SecureWorks figures, but, for completeness, is shown below. First, here is the expansion of Bitly 1PXQ8zP+ (presently marked by Bitly as malicious) and the full expression in incident 316-715:

The malicious address contained a webpage exactly emulating a Gmail log-in page at which the target would be invited to enter credentials, after which he would be transferred to his actual login page. Meanwhile, his emails would be harvested by the hackers more or less immediately without him knowing.

Phishtank incidents 3160712 and 3160715 were submitted by user aksana (metadata chopped off in the SecureWorks figure), who was, by coincidence or not, involved with InformNapalm, a Ukrainian hacking group followed by Dmitri Alperovitch of Crowdstrike.

Their second example used a different typosquatting domain ( but otherwise nearly identical syntax to the unpacked Bitly expression shown above (url/continue=*&df=*&tel=1)

In this case, the first parameter in the expression (YZGlmZ…) is the unencrypted base64 expression for the gmail address of an attache in the Embassy of Italy in Australia.

Registrant Email Addresses

SecureWorks didn’t discuss how it attributed the SW-2015 phishing campaign to APT28. However, there is an obvious connection via registrant email for, of which is a subdomain. Its registrant,, is also registrant for numerous domains in the October 2014 PWC inventory of APT28 domains. This is nicely shown in the ThreatCrowd connections graph for, shown below. The two domains, registrant email address are highlighted, as well as two IP addresses ( and, which, for now, are Easter eggs. All the domains linked to andre_roy were previously identified as APT28. Seems pretty

However, registrant and registrant email address for the other phishing domain leads in a different and unexpected direction. A standard Whois lookup for  at yielded registrant Gennadiy Borisov in Varna, Bulgaria, together with registrant email of, screenshot reproduced below.

In the prior post on the Lurk Banking Gang, Gennadiy Borisov and were registrar and registrant email of dozens, if not hundreds, of crimeware domains associated with the Angler exploit kit. (This unexpected appearance of yingw90 is the “Easter egg” promised in the preceding post).

In other words, one of the domains ( in the SW-2015 phishing campaign appears to connect just as strongly (registrar and registrant email) to the Angler malware group as the other domain  ( connects to the APT28 malware group.


APT28 (Fancy Bear) is characterized in computer security literature as a presumed unique hacking group which uses characteristic malware: Sofacy, Chopstick and Eviltoss (or variations thereof, with names varying in the literature). It is characterized by resourcefulness and ingenuity in developing zero-day exploits to deliver the malware. It is usually said to be narrowly focused on defence and government sectors. Two of its most popular delivery methods are a malicious attachment to a document delivered by email or a link to a malicious page of topical interest which downloads malware in the background.

On the other hand, phishing (and credential theft through phishing) is one of the most common and commonplace forms of cybercrime and difficult to attribute. In late 2014, Google researchers examined thousands of phishing incidents, observing that credential theft was used to “send spam, to tap into the social connections of victims to compromise additional accounts or alternatively liquidate a victim’s financial assets”.  They reported that “phishing requests target victims’ email (35%) and banking institutions (21%) accounts, as well as their app stores and social networking credentials”. In the hijacking cases that they analyzed, they found that “most of the hijackers appear to originate from five main countries: China, Ivory Coast, Malaysia, Nigeria, and South Africa”. In late 2014, a computer security analyst, commenting on the Google article, showed examples of typical gmail phishing emails and webpages, noting that they had seen “400+ Google-related phishing URLs” in the previous week:

These just a few examples of the “look and feel” of some of the 400+ Google-related phishing URLs we’ve seen in the past seven days at Malcovery security. Most of them were seen many times each!

The phishing webpages in the 2015-2016 phishing campaign of interest to SecureWorks (the “SW Phishing Campaign”) were no better and no worse than others in the genre.

To my knowledge, there have been no reports of installation of distinctive APT28 malware on the targets of the 2015-2016 phishing campaign studied by SecureWorks (the “SW Campaign” for short). Instead, it was an entirely commonplace attempt to steal credentials, indistinguishable in structure from thousands of similar attempts to steal email, banking and other credentials. It specifically targeted Gmail credentials, which together with Yahoo and Microsoft credentials, are the most popular forms of credential theft. Such campaigns frequently use domain names which “spoof” or “typosquat” the legitimate names – there is nothing distinctive to APT28 or even Russia in that technique. It could be Nigerian or American, just as easily.

Attribution of the phishing campaign to APT28 was therefore done on the basis of infrastructure connections. But while there is an infrastructure association to APT28 but there is also an association to a prominent crimeware gang.

From this, I’m beginning to question how “APT28” is defined and attributed. On the one hand, one sees incidents in which Sofacy and Coreshell/X-Agent are dropped into computers using sophisticated zero-day exploits – these seem useful attributions. On the other hand, one sees incidents of commonplace credential phishing without accompanying Socacy, Coreshell malware, which are attributed by supposed chains of infrastructure e.g. registrant email address or common IP address going back to incidents as far back as 2014, not necessarily well documented.  As an outsider to these attribution arguments, this latter class of attribution seems to me to require lower confidence.  If information is contradictory, then I don’t see how much confidence can be attached at all.



Climate Audit

Dear friends of this aggregator

  • Yes, I intentionally removed Newsbud from the aggregator on Mar 22.
  • Newsbud did not block the aggregator, although their editor blocked me on twitter after a comment I made to her
  • As far as I know, the only site that blocks this aggregator is Global Research. I have no idea why!!
  • Please stop recommending Newsbud and Global Research to be added to the aggregator.

Support this site

News Sources

Source Items
Please Stop the Ride 24
The Infectious Myth 22
Lockdown Skeptics 26
Sam Husseini 32
Dr. Andrew Kaufman 3
Swiss Propaganda Research 20
Off Guardian 82
Cory Morningstar 10
James Bovard 51
WWI Hidden History 51
Grayzone Project 429
Pass Blue 376
Dilyana Gaytandzhieva 17
John Pilger 426
The Real News 367
Scrutinised Minds 29
Need To Know News 3388
FEE 5426
Marine Le Pen 403
Francois Asselineau 25
Opassande 53
HAX on 5July 220
Henrik Alexandersson 1229
Mohamed Omar 404
Professors Blog 10
Arg Blatte Talar 40
Angry Foreigner 19
Fritte Fritzson 12
Teologiska rummet 32
Filosofiska rummet 144
Vetenskapsradion Historia 196
Snedtänkt (Kalle Lind) 262
Les Crises 3958
Richard Falk 220
Ian Sinclair 136
SpinWatch 61
Counter Currents 12609
Kafila 661
Gail Malone 45
Transnational Foundation 221
Rick Falkvinge 95
The Duran 11387
Vanessa Beeley 216
Nina Kouprianova 9
MintPress 6104
Paul Craig Roberts 2571
News Junkie Post 74
Nomi Prins 27
Kurt Nimmo 191
Strategic Culture 6165
Sir Ken Robinson 30
Stephan Kinsella 120
Liberty Blitzkrieg 885
Sami Bedouin 65
Consortium News 2685
21 Century Wire 4143
Burning Blogger 324
Stephen Gowans 102
David D. Friedman 165
Anarchist Standard 16
The BRICS Post 1541
Tom Dispatch 632
Levant Report 18
The Saker 5133
The Barnes Review 603
John Friend 535
Psyche Truth 160
Jonathan Cook 162
New Eastern Outlook 4914
School Sucks Project 1828
Giza Death Star 2186
Andrew Gavin Marshall 28
Red Ice Radio 687
GMWatch 2596
Robert Faurisson 150
Espionage History Archive 35
Jay's Analysis 1177
Le 4ème singe 91
Jacob Cohen 222
Agora Vox 19584
Cercle Des Volontaires 456
Panamza 2611
Fairewinds 121
Project Censored 1254
Spy Culture 628
Conspiracy Archive 85
Crystal Clark 14
Timothy Kelly 649
PINAC 1482
The Conscious Resistance 1056
Independent Science News 91
The Anti Media 6877
Positive News 820
Brandon Martinez 30
Steven Chovanec 61
Lionel 317
The Mind renewed 460
Natural Society 2627
Yanis Varoufakis 1145
Tragedy & Hope 122
Dr. Tim Ball 114
Web of Debt 167
Porkins Policy Review 457
Conspiracy Watch 174
Eva Bartlett 646
Libyan War Truth 373
DeadLine Live 1916
Kevin Ryan 69
Aaron Franz 270
Traces of Reality 166
Revelations Radio News 124
Dr. Bruce Levine 160
Peter B Collins 1795
Faux Capitalism 205
Dissident Voice 11993
Climate Audit 227
Donna Laframboise 511
Judith Curry 1192
Geneva Business Insider 40
Media Monarchy 2738
Syria Report 84
Human Rights Investigation 94
Intifada (Voice of Palestine) 1685
Down With Tyranny 13637
Laura Wells Solutions 50
Video Rebel's Blog 483
Revisionist Review 485
Aletho News 22981
ضد العولمة 27
Penny for your thoughts 3403
Northerntruthseeker 2912
كساريات 37
Color Revolutions and Geopolitics 27
Stop Nato 4889 Blog 3425 Original Content 7682
Corbett Report 2672
Stop Imperialism 491
Land Destroyer 1300
Webster Tarpley Website 1154

Compiled Feeds

Public Lists

Title Visibility
Funny Public